Non-secure contact pages (Australian Banks)
I lost my credit card a few days ago and as soon as I realized that, I called up my bank. When searching for the right number to call, I went to their website and found my way to the contact page. As I was dialing the first digits of the number, I noticed something seriously wrong: the page was not secure (ie no HTTPS). I stopped. I began googling the phone number and only after seeing it on several places did I call the number to order a new card.
After the call, I wondered if it was only my bank. I was saddened to see that out of 40 banks and credit card providers in Australia, only 7 had secure contact pages. I have notified most of the others about the issue.
If your bank is one of those with non-secure contact pages listed further down the page, you should do a little research online first before trusting the information on those pages.
For those of you who’re not aware of ramifications of a non-secure website, I’ll quickly explain why it’s important. The content of a secure page is encrypted and can only be seen by your computer and computers at your bank. No one in the middle, including your ISP, etc. can see what that content is nor can they change it without you noticing. A non-secure page on the other hand is visible to everyone in the path between you and the website. This becomes important when malicious parties can get in the middle. This is the case when using public WiFi in a coffee shop for instance. In these situations, it is easy for the malicious party to redirect your traffic so s/he can see and change it as it’s passed onto you. They can then replace the phone numbers with those of their fake call center and steal your credentials and empty your account.
If the fake call centre seems involved, the non-secure nature of the website has yet another significant implication: the login link to online banking can be changed to point to a malicious replica.
Kudos to the banks below for protecting their users against phishing attacks:
- AMP Bank Limited
- ANZ
- American Express
- Arab Bank Australia
- Commonwealth Bank
- Lombard Finance
- UBank
Following banks and credit card providers serve their contact pages over non-secure HTTP:
- 28degrees Mastercard
- Aussie
- Bank of China Australia
- Bank of Melbourne
- Bank of SA
- Bank of Sydney
- bankmecu
- Bankwest
- Bendigo Bank
- BOQ
- Citibank
- Coles
- Community First
- CUA
- Defence Bank
- Delphi Bank
- GE Money
- Heritage Bank
- HSBC
- IMB
- ING Direct
- Jetstar
- Macquarie Bank
- Members Equity
- NAB
- QTMB
- Rural Bank
- St. George
- Suncorp
- Teachers Mutual Bank
- Virgin Money
- Visa
- Westpac